Helm安装harbor
docker(22):dockers企业级私有仓库harbor
Harbor 支持多种安装方式,源码目录下面默认有一个安装脚本(make/install.sh),采用 docker-compose 的形式运行 Harbor 各个组件,这里介绍另外一种简单的安装方法helm。Harbor 官方提供了对应的 Helm Chart。
1 下载
下载Harbor Chart 包到要安装的集群上,切换到我们需要安装的分支,比如我们这里使用 1.0.0分支
git clone https://github.com/goharbor/harbor-helm
cd harbor-helm
git checkout 1.0.0
2 创建持久化StorageClass
#cat harbor-data-sc.yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: harbor-data
provisioner: fuseim.pri/ifs
kubectl create -f harbor-data-sc.yaml
storageclass.storage.k8s.io "harbor-data" created
3 自定义安装文件
修改Helm Chart 包values.yaml文件,我这里修改了ingress域名和存储pv
expose:
# 设置暴露服务的方式。将类型设置为 ingress、clusterIP或nodePort并补充对应部分的信息。
type: ingress
tls:
# 是否开启 tls,注意:如果类型是 ingress 并且tls被禁用,则在pull/push镜像时,则必须包含端口。详细查看文档:https://github.com/goharbor/harbor/issues/5291。
enabled: true
# 如果你想使用自己的 TLS 证书和私钥,请填写这个 secret 的名称,这个 secret 必须包含名为 tls.crt 和 tls.key 的证书和私钥文件,如果没有设置则会自动生成证书和私钥文件。
secretName: ""
# 默认 Notary 服务会使用上面相同的证书和私钥文件,如果你想用一个独立的则填充下面的字段,注意只有类型是 ingress 的时候才需要。
notarySecretName: ""
# common name 是用于生成证书的,当类型是 clusterIP 或者 nodePort 并且 secretName 为空的时候才需要
commonName: ""
ingress:
hosts:
core: harbor.wangxu.com
notary: notary.wangxu.com
annotations:
ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/proxy-body-size: "0"
clusterIP:
# ClusterIP 服务的名称
name: harbor
ports:
httpPort: 80
httpsPort: 443
# Notary 服务监听端口,只有当 notary.enabled 设置为 true 的时候有效
notaryPort: 4443
nodePort:
# NodePort 服务名称
name: harbor
ports:
http:
port: 80
nodePort: 30002
https:
port: 443
nodePort: 30003
notary:
port: 4443
nodePort: 30004
# Harbor 核心服务外部访问 URL。主要用于:
# 1) 补全 portal 页面上面显示的 docker/helm 命令
# 2) 补全返回给 docker/notary 客户端的 token 服务 URL
# 格式:protocol://domain[:port]。
# 1) 如果 expose.type=ingress,"domain"的值就是 expose.ingress.hosts.core 的值
# 2) 如果 expose.type=clusterIP,"domain"的值就是 expose.clusterIP.name 的值
# 3) 如果 expose.type=nodePort,"domain"的值就是 k8s 节点的 IP 地址
# 如果在代理后面部署 Harbor,请将其设置为代理的 URL
externalURL: https://harbor.wangxu.com
# 默认情况下开启数据持久化,在k8s集群中需要动态的挂载卷默认需要一个StorageClass对象。
# 如果你有已经存在可以使用的持久卷,需要在"storageClass"中指定你的 storageClass 或者设置 "existingClaim"。
#
# 对于存储 docker 镜像和 Helm charts 包,你也可以用 "azure"、"gcs"、"s3"、"swift" 或者 "oss",直接在 "imageChartStorage" 区域设置即可
persistence:
enabled: true
# 设置成"keep"避免在执行 helm 删除操作期间移除 PVC,留空则在 chart 被删除后删除 PVC
resourcePolicy: "keep"
persistentVolumeClaim:
registry:
# 使用一个存在的 PVC(必须在绑定前先手动创建)
existingClaim: ""
# 指定"storageClass",或者使用默认的 StorageClass 对象,设置成"-"禁用动态分配挂载卷
storageClass: "harbor-data"
subPath: ""
accessMode: ReadWriteOnce
size: 5Gi
chartmuseum:
existingClaim: ""
storageClass: "harbor-data"
subPath: ""
accessMode: ReadWriteOnce
size: 5Gi
jobservice:
existingClaim: "harbor-data"
storageClass: ""
subPath: ""
accessMode: ReadWriteOnce
size: 1Gi
# 如果使用外部的数据库服务,下面的设置将会被忽略
database:
existingClaim: ""
storageClass: "harbor-data"
subPath: ""
accessMode: ReadWriteOnce
size: 1Gi
# 如果使用外部的 Redis 服务,下面的设置将会被忽略
redis:
existingClaim: ""
storageClass: "harbor-data"
subPath: ""
accessMode: ReadWriteOnce
size: 1Gi
# 定义使用什么存储后端来存储镜像和 charts 包,详细文档地址:https://github.com/docker/distribution/blob/master/docs/configuration.md#storage
imageChartStorage:
# 正对镜像和chart存储是否禁用跳转,对于一些不支持的后端(例如对于使用minio的`s3`存储),需要禁用它。为了禁止跳转,只需要设置`disableredirect=true`即可,详细文档地址:https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect
disableredirect: false
# 指定存储类型:"filesystem", "azure", "gcs", "s3", "swift", "oss",在相应的区域填上对应的信息。
# 如果你想使用 pv 则必须设置成"filesystem"类型
type: filesystem
filesystem:
rootdirectory: /storage
#maxthreads: 100
azure:
accountname: accountname
accountkey: base64encodedaccountkey
container: containername
#realm: core.windows.net
gcs:
bucket: bucketname
# The base64 encoded json file which contains the key
encodedkey: base64-encoded-json-key-file
#rootdirectory: /gcs/object/name/prefix
#chunksize: "5242880"
s3:
region: us-west-1
bucket: bucketname
#accesskey: awsaccesskey
#secretkey: awssecretkey
#regionendpoint: http://myobjects.local
#encrypt: false
#keyid: mykeyid
#secure: true
#v4auth: true
#chunksize: "5242880"
#rootdirectory: /s3/object/name/prefix
#storageclass: STANDARD
swift:
authurl: https://storage.myprovider.com/v3/auth
username: username
password: password
container: containername
#region: fr
#tenant: tenantname
#tenantid: tenantid
#domain: domainname
#domainid: domainid
#trustid: trustid
#insecureskipverify: false
#chunksize: 5M
#prefix:
#secretkey: secretkey
#accesskey: accesskey
#authversion: 3
#endpointtype: public
#tempurlcontainerkey: false
#tempurlmethods:
oss:
accesskeyid: accesskeyid
accesskeysecret: accesskeysecret
region: regionname
bucket: bucketname
#endpoint: endpoint
#internal: false
#encrypt: false
#secure: true
#chunksize: 10M
#rootdirectory: rootdirectory
imagePullPolicy: IfNotPresent
logLevel: debug
# Harbor admin 初始密码,Harbor 启动后通过 Portal 修改该密码
harborAdminPassword: "Harbor12345"
# 用于加密的一个 secret key,必须是一个16位的字符串
secretKey: "not-a-secure-key"
# 如果你通过"ingress"保留服务,则下面的Nginx不会被使用
nginx:
image:
repository: goharbor/nginx-photon
tag: v1.7.0
replicas: 1
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
## 额外的 Deployment 的一些 annotations
podAnnotations: {}
portal:
image:
repository: goharbor/harbor-portal
tag: v1.7.0
replicas: 1
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
podAnnotations: {}
core:
image:
repository: goharbor/harbor-core
tag: v1.7.0
replicas: 1
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
podAnnotations: {}
adminserver:
image:
repository: goharbor/harbor-adminserver
tag: v1.7.0
replicas: 1
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
podAnnotations: {}
jobservice:
image:
repository: goharbor/harbor-jobservice
tag: v1.7.0
replicas: 1
maxJobWorkers: 10
# jobs 的日志收集器:"file", "database" or "stdout"
jobLogger: file
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
podAnnotations: {}
registry:
registry:
image:
repository: goharbor/registry-photon
tag: v2.6.2-v1.7.0
controller:
image:
repository: goharbor/harbor-registryctl
tag: v1.7.0
replicas: 1
nodeSelector: {}
tolerations: []
affinity: {}
podAnnotations: {}
chartmuseum:
enabled: true
image:
repository: goharbor/chartmuseum-photon
tag: v0.7.1-v1.7.0
replicas: 1
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
podAnnotations: {}
clair:
enabled: true
image:
repository: goharbor/clair-photon
tag: v2.0.7-v1.7.0
replicas: 1
# 用于从 Internet 更新漏洞数据库的http(s)代理
httpProxy:
httpsProxy:
# clair 更新程序的间隔,单位为小时,设置为0来禁用
updatersInterval: 12
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
podAnnotations: {}
notary:
enabled: true
server:
image:
repository: goharbor/notary-server-photon
tag: v0.6.1-v1.7.0
replicas: 1
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
signer:
image:
repository: goharbor/notary-signer-photon
tag: v0.6.1-v1.7.0
replicas: 1
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
podAnnotations: {}
database:
# 如果使用外部的数据库,则设置 type=external,然后填写 external 区域的一些连接信息
type: internal
internal:
image:
repository: goharbor/harbor-db
tag: v1.7.0
# 内部的数据库的初始化超级用户的密码
password: "changeit"
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
external:
host: "192.168.0.1"
port: "5432"
username: "user"
password: "password"
coreDatabase: "registry"
clairDatabase: "clair"
notaryServerDatabase: "notary_server"
notarySignerDatabase: "notary_signer"
sslmode: "disable"
podAnnotations: {}
redis:
# 如果使用外部的 Redis 服务,设置 type=external,然后补充 external 部分的连接信息。
type: internal
internal:
image:
repository: goharbor/redis-photon
tag: v1.7.0
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
external:
host: "192.168.0.2"
port: "6379"
# coreDatabaseIndex 必须设置为0
coreDatabaseIndex: "0"
jobserviceDatabaseIndex: "1"
registryDatabaseIndex: "2"
chartmuseumDatabaseIndex: "3"
password: ""
podAnnotations: {}
4 安装
[root@k8s-master harbor-helm]# helm install --name harbor -f values.yaml . --namespace kube-ops
NAME: harbor
LAST DEPLOYED: Mon Oct 21 14:53:15 2019
NAMESPACE: kube-ops
STATUS: DEPLOYED
RESOURCES:
==> v1/ConfigMap
NAME DATA AGE
harbor-harbor-adminserver 39 3s
harbor-harbor-chartmuseum 24 3s
harbor-harbor-clair 1 3s
harbor-harbor-core 1 3s
harbor-harbor-jobservice 1 3s
harbor-harbor-notary-server 5 3s
harbor-harbor-registry 2 3s
==> v1/Deployment
NAME READY UP-TO-DATE AVAILABLE AGE
harbor-harbor-adminserver 0/1 1 0 2s
harbor-harbor-chartmuseum 0/1 1 0 2s
harbor-harbor-clair 0/1 1 0 2s
harbor-harbor-core 0/1 1 0 2s
harbor-harbor-jobservice 0/1 1 0 2s
harbor-harbor-notary-server 0/1 1 0 2s
harbor-harbor-notary-signer 0/1 1 0 2s
harbor-harbor-portal 0/1 1 0 2s
harbor-harbor-registry 0/1 1 0 2s
==> v1/PersistentVolumeClaim
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
harbor-harbor-chartmuseum Bound kube-ops-harbor-harbor-chartmuseum-pvc-425d2dd1-e90e-42cc-af4c-959cf5c8ae6b 5Gi RWO harbor-data 3s
harbor-harbor-jobservice Bound kube-ops-harbor-harbor-jobservice-pvc-fee241f4-cd1a-4576-9c7f-18feef3c9e71 1Gi RWO harbor-data 3s
harbor-harbor-registry Bound kube-ops-harbor-harbor-registry-pvc-951e42b5-8a83-402d-ba43-e41809af6827 5Gi RWO harbor-data 3s
==> v1/Pod(related)
NAME READY STATUS RESTARTS AGE
harbor-harbor-adminserver-66779c5c5d-n4852 0/1 ContainerCreating 0 2s
harbor-harbor-chartmuseum-94cc9cf7b-jzfms 0/1 Pending 0 2s
harbor-harbor-clair-7d6646c5df-4crst 0/1 ContainerCreating 0 2s
harbor-harbor-core-6c7c4445b-dzpcp 0/1 ContainerCreating 0 2s
harbor-harbor-database-0 0/1 Pending 0 2s
harbor-harbor-jobservice-66dbb69cdf-m54h6 0/1 Pending 0 2s
harbor-harbor-notary-server-694b75767f-xlqhx 0/1 Pending 0 2s
harbor-harbor-notary-signer-b6f8b4564-dj8tc 0/1 Pending 0 2s
harbor-harbor-portal-8fd4f9ff9-d92m8 0/1 ContainerCreating 0 2s
harbor-harbor-redis-0 0/1 Pending 0 2s
harbor-harbor-registry-946d7dffc-hdggn 0/2 Pending 0 2s
==> v1/Secret
NAME TYPE DATA AGE
harbor-harbor-adminserver Opaque 4 3s
harbor-harbor-chartmuseum Opaque 1 3s
harbor-harbor-core Opaque 4 3s
harbor-harbor-database Opaque 1 3s
harbor-harbor-ingress kubernetes.io/tls 3 3s
harbor-harbor-jobservice Opaque 1 3s
harbor-harbor-registry Opaque 1 3s
==> v1/Service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
harbor-harbor-adminserver ClusterIP 10.100.68.4 <none> 80/TCP 3s
harbor-harbor-chartmuseum ClusterIP 10.101.178.155 <none> 80/TCP 2s
harbor-harbor-clair ClusterIP 10.105.121.19 <none> 6060/TCP 2s
harbor-harbor-core ClusterIP 10.103.3.101 <none> 80/TCP 2s
harbor-harbor-database ClusterIP 10.98.103.6 <none> 5432/TCP 2s
harbor-harbor-jobservice ClusterIP 10.108.173.14 <none> 80/TCP 2s
harbor-harbor-notary-server ClusterIP 10.99.236.15 <none> 4443/TCP 2s
harbor-harbor-notary-signer ClusterIP 10.110.155.9 <none> 7899/TCP 2s
harbor-harbor-portal ClusterIP 10.96.129.206 <none> 80/TCP 2s
harbor-harbor-redis ClusterIP 10.96.89.36 <none> 6379/TCP 2s
harbor-harbor-registry ClusterIP 10.109.222.50 <none> 5000/TCP,8080/TCP 2s
==> v1/StatefulSet
NAME READY AGE
harbor-harbor-database 0/1 2s
harbor-harbor-redis 0/1 2s
==> v1beta1/Ingress
NAME HOSTS ADDRESS PORTS AGE
harbor-harbor-ingress harbor.wangxu.com,notary.wangxu.com 80, 443 2s
NOTES:
Please wait for several minutes for Harbor deployment to complete.
Then you should be able to visit the Harbor portal at https://core.harbor.domain.
For more details, please visit https://github.com/goharbor/harbor.
[root@k8s-master harbor-helm]#
稍微等5分钟,就可以安装成功了,查看对应的 Pod 状态:
[root@k8s-master harbor-helm]# kubectl get pods -n kube-ops
NAME READY STATUS RESTARTS AGE
harbor-harbor-adminserver-66779c5c5d-n4852 1/1 Running 1 15m
harbor-harbor-chartmuseum-94cc9cf7b-jzfms 1/1 Running 0 15m
harbor-harbor-clair-7d6646c5df-4crst 1/1 Running 0 15m
harbor-harbor-core-6c7c4445b-dzpcp 1/1 Running 3 15m
harbor-harbor-database-0 1/1 Running 0 15m
harbor-harbor-jobservice-66dbb69cdf-m54h6 1/1 Running 8 15m
harbor-harbor-notary-server-694b75767f-xlqhx 1/1 Running 0 15m
harbor-harbor-notary-signer-b6f8b4564-dj8tc 1/1 Running 0 15m
harbor-harbor-portal-8fd4f9ff9-d92m8 1/1 Running 0 15m
harbor-harbor-redis-0 1/1 Running 0 15m
harbor-harbor-registry-946d7dffc-hdggn 2/2 Running 0 15m
jenkins2-8b7f7bdb7-fzpp8 1/1 Running 0 5h29m
[root@k8s-master harbor-helm]#
现在都是Running状态了,都成功运行起来了,查看下对应的 Ingress 对象:
[root@k8s-master harbor-helm]# kubectl get ingress -n kube-ops
NAME HOSTS ADDRESS PORTS AGE
harbor-harbor-ingress harbor.wangxu.com,notary.wangxu.com 80, 443 14m
5 访问
如果你有自己的真正的域名,则将上面的两个域名解析到你的任意一个 Ingress Controller 的 Pod 所在的节点即可,我们这里为了演示方便,还是自己在本地的/etc/hosts里面添加上harbor.wangxu.com和notary.wangxu.com的映射。
10.6.76.23 harbor.wangxu.com notary.wangxu.com
10.6.76.24 harbor.wangxu.com notary.wangxu.com
配置的 Ingress 中会强制跳转到 https,所以如果你的浏览器有什么安全限制的话,需要信任我们这里 Ingress 对应的证书,证书文件可以通过查看 Secret 资源对象获取:
然后输入用户名:admin,密码:Harbor12345(当然我们也可以通过 Helm 安装的时候自己覆盖 harborAdminPassword)即可登录进入 Portal 首页:
默认情况下会有一个名叫library的项目,改项目默认是公开访问权限的,进入项目可以看到里面还有 Helm Chart 包的管理,可以手动在这里上传,也可以对改项目里面的镜像进行一些配置,比如是否开启自动扫描镜像功能:
6 docker cli访问
使用 docker cli 来进行 pull/push 镜像,由于安装的时候通过 Ingress 来暴露的 Harbor 的服务,而且强制使用了 https,所以如果要在终端中使用我们这里的私有仓库的话,就需要配置上相应的证书:
[root@k8s-master harbor-helm]# docker login harbor.wangxu.com
Username: admin
Password:
Error response from daemon: Get https://harbor.wangxu.com/v2/: x509: certificate signed by unknown authority
[root@k8s-master harbor-helm]#
这是因为我们没有提供证书文件,我们将使用到的ca.crt
文件复制到/etc/docker/certs.d/registry.qikqiak.com
目录下面,如果该目录不存在,则创建它。ca.crt 这个证书文件我们可以通过 Ingress 中使用的 Secret 资源对象来提供:
# kubectl get secret harbor-harbor-ingress -n kube-ops -o yaml
apiVersion: v1
data:
ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM5VENDQWQyZ0F3SUJBZ0lSQUtNbWp6QUlHcFZKUmZxNnJDdDMySGN3RFFZSktvWklodmNOQVFFTEJRQXcKRkRFU01CQUdBMVVFQXhNSmFHRnlZbTl5TFdOaE1CNFhEVEU1TVRBeU1UQTJOVE14T0ZvWERUSXdNVEF5TURBMgpOVE14T0Zvd0ZERVNNQkFHQTFVRUF4TUphR0Z5WW05eUxXTmhNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DCkFROEFNSUlCQ2dLQ0FRRUF1enp5anRXaStzbm55b0hWc0R1cHRERDF6ZnFvWWpsaFNGTkxBMUdtNmorWkRuR0gKVWJKeGpCMlJ5aDRvN2N5cUF6VFE3YnBhM2ZUeXJmQWo4K0RTZzdCVGNQcy8ycng1aHhrTHowWjJ5ODJ4ZmpaZgplMndPVFRvZ0NtakljZGMwOFNCVVBvSWVQRzBka2NOUnR2U2tENGFVZkx3UE42MmNWNUNidEFSazh4TGwrN3N3ClBLQUx4ZlFVTkt1RGlobXY3blRTUnVIWkoxQXFsS09CdWE4NnhpSVF6T2hlOVhaYUZTRjBGZEZUNVc0eUVkaXkKOGExelNIV0l3eklUaWs2WU82ZFE2T3N1QVV4SUFBREtMVlJYTWszMWlvZ2s0K24zYmxzTnlYR3R0OStwa0FyVwphWXJvcXRXK2FmUGxlUndDQ25DZGUydk9WMndqSTh3a291YW5Xd0lEQVFBQm8wSXdRREFPQmdOVkhROEJBZjhFCkJBTUNBcVF3SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUYKTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBQlBoMnVIRm0xcnp6ekdydkFLQnRjZnMxK3I0MzFrNQpWMWtjampraUl4U0FFQ1d2dW9TSGdXVkVHNVpGRjdScVRnVFl4bEduQ0hUUXpOOXlxRnUxSXU3MmdTcXBNSkZiCmkrRG9kMllDNThhL2h6WC9mWFNhREtqRnVRaWl4QlhGM0E4SlFxL2hucWVXU2pFYnRFaWhQMVlKMGNmQXZaTDAKSmJLVXgyRUluVkhReVh0bXMvcWVHZkpLbHVCTmRVWDFoNklvM0ZzLzVjeVUxeFB3ZEpJaERmMHlYMDlKb3pRMgpydzVaeEhyNGpxT2xpRTBTZCtjRVRFVCsvR2xMUGJWRmZDVDlKZms4S1VXeHZLMnN6aDdYTmRvaGErSjNDZTgrClVPZTIvZkpmdWRWRVdjRlY4a2pOOHVudHd6SWJ2cHpJa3RmY2hWT2NHMEFUZnNXNCs5ZmFRK2c9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURLakNDQWhLZ0F3SUJBZ0lRTFNicmtJYlEzVFQrT3hrSlBEMldMREFOQmdrcWhraUc5dzBCQVFzRkFEQVUKTVJJd0VBWURWUVFERXdsb1lYSmliM0l0WTJFd0hoY05NVGt4TURJeE1EWTFNekU0V2hjTk1qQXhNREl3TURZMQpNekU0V2pBY01Sb3dHQVlEVlFRREV4Rm9ZWEppYjNJdWQyRnVaM2gxTG1OdmJUQ0NBU0l3RFFZSktvWklodmNOCkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFQUXhVTXc3ZEUzMDJLL1NyRTFkL3pmVWZLcmF5MHB3MlFOcFZNL0kKNFR4TVNjR2dYc0Y0RXZGcHM0NUYvajhIRXVrNWJIanlyR0RzaUxocjRpU294UkNLQk1pOEUvMnppVTVvSWRqUgpSWWU2aysvQU8rNUI4VXdmUHQ1VC9JM29ReUdyVmtDWXRxK2ROTHczYldVRHBJNFBoTmdETHRURTV2Y1BhRGFGCk1xRUszVlJKQmJqeHJIUndHTWNXNmhraGIvb3dNZmVGOXo3WjRUWHpPM2ZIcHpnMWhnU3dDcU9JeEhQNE5LYW4KOVNOdW0xMkpKeGgyVlZyOXFBNWg5K29tNXpySjQ0bFB5UFlFRStWRjc0MXF1QUl5eGtpcC9JMkxZYmdZZkNpUwpyRWVXM0Y2TlMrbnRDWkd6OUpySjJRc2lhVHUwR1JmZEIvNDZIN2c3SGxjQmJVMENBd0VBQWFOd01HNHdEZ1lEClZSMFBBUUgvQkFRREFnV2dNQjBHQTFVZEpRUVdNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUZCUWNEQWpBTUJnTlYKSFJNQkFmOEVBakFBTUM4R0ExVWRFUVFvTUNhQ0VXaGhjbUp2Y2k1M1lXNW5lSFV1WTI5dGdoRnViM1JoY25rdQpkMkZ1WjNoMUxtTnZiVEFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBYmJaakw5cG1Gd3RRL2tNdVhNZmNtNnpzCkVRVVBQcmhwZXREVk9sYWtOYjhlNERTaTNDcWhicTFLTmxFdEQwd0kwOVhESG1IUEw1dXpXK2dkbzRXWnRhNUYKTjhJVnJJMStwc2R1bkdYZWxNODdJNlh6YzFzMnpIVGY3VHUreHZ4V3VsYnVZRVU5OEpheXVpa0N6L2VDMm5FdApQaVg3anZvNVBwQ1RYb2tFUG5DTlVZODZYQ3ptbWVhbTNpTFIza3pSOEdmNjRydWh4MXl2VkxEdjZiQ3NkdXJ0Ck1ORE5wbTc0aXp4aWJjRmtwWGhWZWY1ZGNvNVExakVTRmxXOEd5MnRBbXYyZFdTdW5tSWRaaXZweHpGaXdyWU4KWjkxLzR2RHdJZE5OeHo5SUIrN0ZYVVpTazQveW9PZ25pTWZTTnJhMHdwclZMZjZTdysrQUdtRnB5VTYyNUE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBOURGUXpEdDBUZlRZcjlLc1RWMy9OOVI4cXRyTFNuRFpBMmxVejhqaFBFeEp3YUJlCndYZ1M4V216amtYK1B3Y1M2VGxzZVBLc1lPeUl1R3ZpSktqRkVJb0V5THdUL2JPSlRtZ2gyTkZGaDdxVDc4QTcKN2tIeFRCOCszbFA4amVoRElhdFdRSmkycjUwMHZEZHRaUU9ramcrRTJBTXUxTVRtOXc5b05vVXlvUXJkVkVrRgp1UEdzZEhBWXh4YnFHU0Z2K2pBeDk0WDNQdG5oTmZNN2Q4ZW5PRFdHQkxBS280akVjL2cwcHFmMUkyNmJYWWtuCkdIWlZXdjJvRG1IMzZpYm5Pc25qaVUvSTlnUVQ1VVh2aldxNEFqTEdTS244all0aHVCaDhLSktzUjViY1hvMUwKNmUwSmtiUDBtc25aQ3lKcE83UVpGOTBIL2pvZnVEc2VWd0Z0VFFJREFRQUJBb0lCQVFDOHgzZElQRnBnZmY0YQpod3JQVVBDaVQ3SUZQOXBUZFVRLzMrbENMWEQ2OVpzN2htaGF0eUlsNGVwKy9kdGRESEh4UFlSL1NGUTlKZjlZClc0YmJnbUcrdElTWVR0WkJsczk2ZndSVG93MVdyY1g2WGltMnV1SDVVRnFBOUhyVmxnNTM5QVpkTC9KamQyd3kKYWNNM2lZWm9rTlRKVGtTaEZvdmJ5ZHh0OGJFL1R5MDFoY2dtSCtTZmxPT0g1bTJyYVNBTFF3SVY5bG9QSWlsWgpzTGFtSzZFNU1rS0pITmVuQmFjVDJwSHl0R2VEbzlXQW1uSGQ2THp0SkxTNzk2dHFZZ1FSMDdDS1VSa09xZ2tUClJWRW9WbzgyWDRHeWI5VmJxQVlIWDNYY3l0VW9QaTZvNE5qRlFUWW9yWGttRHBub25DWXRYaWp0bXljdEZmbEcKc3ZHYXpzT2RBb0dCQVBSQmFMZzhqWGJ3S0p2TzRhSUVDemhLUzlhRDlDOHd6Kzd6SmsrbmZwTDhvbzFYdmlHQwpOMStuRjNaR2NZVk9nNzViOStXdGFHQyswRnY3MjA5em00TittVWFIejAxaExoSjhwZnppc1hoN1JZTDJjQkZPCitTVW9tNlBvcDNFTmtjMEl3ZDZZU1dpUm5MOCtYT0R2UXR4VWtXNUtEVEVIZThndHRVS2V4ay9MQW9HQkFQL3YKSWZzSTZpSjlrNStHMXJYbFNJYWo0RTdsT0VhdU9MWnI0U0FsWWg1anhFU1JFNjRBeENya2h0cjZjOXVJS0p1WApJLzNRcEp4TmpCSzI4NzJ3aWMrU25kK0dvb1E1RG5Ub3QxN2FwVko2L2xkUXZqdUduZjJ2d0p0S25MVEJreE1IClJ0SzdyQmNhNGVoSWNXK2ZJN3ZpMzh3Rys5N3lNTENqaEprOXdtUkhBb0dBWXlZbUJ4dDFaVUZwaW8yNUk1WTIKbzd2cyt3QUhZQnlWVzI3U0wyVlRTUUZLVHN1K1AwWG5pbWwrYWFHQXRWZEF2VVlCNC9hM053WmQ5K2pOaG52cwpOYjF2SktVK2JpK3pqd2VRTFk0cjhqYy82VUIyRDJDYVhBNFcxN3M2TlBjSUowMlZ2UERlWTVjd0pLV0ErRUhIClJ6OEE1ZDhqYWJLYStaQXNVd1cyaEc4Q2dZQkJTWEV6cG95RGkrRXltcVQrOWFSUXBGRStEdjhTR0xOaTVaWWkKS3ljaWRYVEZ3UFJ5T01QUjVVWDVhbFpQdENZWHVyQjF1Tm1rL2Fzend2UGVlY0JOOFNyUXNIbVluUzF3NlVTTgpyOXpvYzNPYU5vQ3drcUNPN0Z5SHdMckU2WFJwTUR3QzJka0djOWNZK0JIbjFZSzZGUi9kM2hJMlJ6WGdlWFlECjJWdFRWUUtCZ1FEYXd3dStQbXNOT2JTcUJQMWtUUXp4cHpIM2svZjF1U0REczJWSmd2dEt2UlZ5YmF0WXd5SFcKVTVabmVjUi91RWZPK1VkeHQrYW9sWEtXMG5mZFo2Q0RSOW5wTmFTcDF5SVJJeStlYUpvK21ySVVrdnhKNFl1cwpETnJTbGU2QWhGNUE1QkphbjlsbUFGZ0VleWRpR2tHKzg1bEVVYTJlNElSbk1FSjRYOHJITHc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
kind: Secret
metadata:
creationTimestamp: "2019-10-21T06:53:21Z"
labels:
app: harbor
chart: harbor
heritage: Tiller
release: harbor
name: harbor-harbor-ingress
namespace: kube-ops
resourceVersion: "7297296"
selfLink: /api/v1/namespaces/kube-ops/secrets/harbor-harbor-ingress
uid: c35d0829-3a35-425c-ac45-fdd5db7d7694
type: kubernetes.io/tls
[root@k8s-master harbor-helm]#
其中 data 区域中 ca.crt 对应的值就是我们需要证书,不过需要注意还需要做一个 base64 的解码,这样证书配置上以后就可以正常访问了。
不过由于上面的方法较为繁琐,所以一般情况下面我们在使用 docker cli 的时候是在 docker 启动参数后面添加一个--insecure-registry
参数来忽略证书的校验的,在 docker 启动配置文件/etc/docker/daemon.json
中修改的启动参数:
# cat /etc/docker/daemon.json
{
"registry-mirrors": ["http://hub-mirror.c.163.com"],
"exec-opts": ["native.cgroupdriver=systemd"],
"insecure-registries": ["harbor.wangxu.com"]
}
然后保存重启 docker,再使用 docker cli 就没有任何问题了:
[root@k8s-master harbor-helm]# docker login harbor.wangxu.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@k8s-master harbor-helm]#
7 上传镜像
本地现在有一个名为 busybox 的镜像,现在我们想要将该镜像推送到我们的私有仓库中去,应该怎样操作呢?首先我们需要给该镜像重新打一个harbor.wangxu.com 的前缀,然后推送的时候就可以识别到推送到镜像仓库
[root@k8s-master harbor-helm]# docker images| grep busybox
busybox latest 19485c79a9bb 6 weeks ago 1.22MB
[root@k8s-master harbor-helm]# docker tag busybox harbor.wangxu.com/library/busybox
[root@k8s-master harbor-helm]# docker push harbor.wangxu.com/library/busybox
The push refers to repository [harbor.wangxu.com/library/busybox]
6c0ea40aef9d: Pushed
latest: digest: sha256:dd97a3fe6d721c5cf03abac0f50e2848dc583f7c4e41bf39102ceb42edfd1808 size: 527
[root@k8s-master harbor-helm]#
镜像 push 成功,同样可以测试下 pull:
[root@k8s-master ~]# docker rmi harbor.wangxu.com/library/busybox:v1
Untagged: harbor.wangxu.com/library/busybox:v1
Untagged: harbor.wangxu.com/library/busybox@sha256:dd97a3fe6d721c5cf03abac0f50e2848dc583f7c4e41bf39102ceb42edfd1808
[root@k8s-master ~]# docker images|grep busy
busybox latest 19485c79a9bb 6 weeks ago 1.22MB
[root@k8s-master ~]# docker pull harbor.wangxu.com/library/busybox:v1
v1: Pulling from library/busybox
Digest: sha256:dd97a3fe6d721c5cf03abac0f50e2848dc583f7c4e41bf39102ceb42edfd1808
Status: Downloaded newer image for harbor.wangxu.com/library/busybox:v1
harbor.wangxu.com/library/busybox:v1
[root@k8s-master ~]# docker pull harbor.wangxu.com/library/busybox:latest
latest: Pulling from library/busybox
Digest: sha256:dd97a3fe6d721c5cf03abac0f50e2848dc583f7c4e41bf39102ceb42edfd1808
Status: Downloaded newer image for harbor.wangxu.com/library/busybox:latest
harbor.wangxu.com/library/busybox:latest
[root@k8s-master ~]# docker images|grep busy
busybox latest 19485c79a9bb 6 weeks ago 1.22MB
harbor.wangxu.com/library/busybox latest 19485c79a9bb 6 weeks ago 1.22MB
harbor.wangxu.com/library/busybox v1 19485c79a9bb 6 weeks ago 1.22MB
[root@k8s-master ~]#
上传镜像错误 不要设置阻止漏洞镜像
Error response from daemon: unknown: Cannot get the image severity.